On 10/14/2011 07:10 AM, Hugo Deprez wrote:
Hello,
On the provider I have the following settings:
TLSCACertificateFile /etc/ssl/certs/ldap-cert.pem
TLSCertificateFile /etc/ssl/certs/ldap-cert.pem
TLSCertificateKeyFile /etc/ldap/ssl/ldap-key.pem
but no TLSCipherSuite defined.
That should be fine. You don't need to define a TLSCipherSuite.
I added the starttls=yes on the consumer:
syncrepl rid=003
        provider=ldaps://ldap.mydomain.fr:1024/
        type=refreshOnly
        retry="60 10 600 +"
        interval=00:00:00:10
        searchbase="dc=mydomain,dc=fr"
        scope=sub
        schemachecking=on
        bindmethod=simple
        starttls=yes
You should have starttls=critical or it will attempt to fallback to plain LDAP if it cannot establish TLS.
        tls_cert=/etc/ssl/certs/ldap-cert.pem
You should not have tls_cert here, since you are trying to use dn/password auth. tls_cert is useless without tls_key anyway.
        tls_cacert=/etc/ssl/certs/ldap-cert-ca.pem
        binddn="cn=syncrepluser,o=others,dc=mydomain,dc=fr"
        credentials=my_password
But still the same error.
Any idea?
Hugo

On 14 October 2011 13:52, Olivier Guillard <olivier@guillard.nom.fr> wrote:
Hi,
Have you set up the following appropriately:
TLSCertificateFile
TLSCertificateKeyFile
TLSCipherSuite
On the provider ?
You probably also want to set this up correctly in your syncrepl section:
starttls=yes
tls_cacert=/path/to/certificate
I suspect it is better if TLS_CACERT is also properly set up in both slapd server configs.
Olivier
On Thu, Oct 13, 2011 at 6:38 PM, Hugo Deprez <hugo.deprez@gmail.com> wrote:
Dear community,
I setup a syncrepl between my master openldap server and a consumer.
I am trying to use SSL for this syncrepl. I got the following error in the log when I start slapd on the consumer:
Oct 13 17:04:59 server slapd[16905]: slapd starting
Oct 13 17:04:59 server slapd[16905]: slap_client_connect: URI=ldaps://ldap.mydomain.fr:1024/ DN="cn=syncrepluser,o=others,dc=mydomain,dc=fr" ldap_sasl_bind_s failed (-1)
Oct 13 17:04:59 server slapd[16905]: do_syncrepl: rid=003 rc -1 retrying (9 retries left)
I don't understand why it is failing as a single ldapsearch from the same server with the syncrepl user is working.
Here is my syncrepl configuration:
syncrepl rid=003
        provider=ldaps://ldap.mydomain.fr:1024/
        type=refreshOnly
        retry="60 10 600 +"
        interval=00:00:00:10
        searchbase="dc=mydomain,dc=fr"
        scope=sub
        schemachecking=on
        bindmethod=simple
        binddn="cn=syncrepluser,o=others,dc=mydomain,dc=fr"
        credentials=my_password
Any idea?
Regards,
Hugo
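The points raised in the replies above (starttls=yes silently falls back to cleartext, tls_cert is pointless without tls_key and is not what a binddn/credentials bind uses, and tls_cacert should be set) are easy to lose in a long slapd.conf. The script below is an added example written for this thread, not OpenLDAP project code: it parses syncrepl directives in slapd.conf form (key=value parameters, double-quoted values, indented continuation lines) and reports those findings. The two sample configs are constructed, one modelled on the consumer config posted above and one hardened variant; the hardened variant assumes a plain ldap:// listener on port 389 upgraded with StartTLS and uses tls_reqcert=demand, which the thread does not mention. Two checks go beyond the thread: an ldaps:// provider combined with starttls= (StartTLS upgrades a plain session, so it does not apply to an ldaps:// URI), and tls_reqcert=never/allow, which stops the consumer from rejecting a bad provider certificate.

```python
"""Audit the TLS settings of slapd.conf 'syncrepl' directives.

Added example for this thread, not code from the OpenLDAP project.
The sample configurations below are constructed for the example.
"""
import shlex

# Constructed from the consumer config posted in the thread.
CONSUMER_AS_POSTED = """\
syncrepl rid=003
        provider=ldaps://ldap.mydomain.fr:1024/
        type=refreshOnly
        retry="60 10 600 +"
        interval=00:00:00:10
        searchbase="dc=mydomain,dc=fr"
        scope=sub
        schemachecking=on
        bindmethod=simple
        starttls=yes
        tls_cert=/etc/ssl/certs/ldap-cert.pem
        tls_cacert=/etc/ssl/certs/ldap-cert-ca.pem
        binddn="cn=syncrepluser,o=others,dc=mydomain,dc=fr"
        credentials=my_password
"""

# Hardened variant (assumptions: a plain ldap:// listener on 389 that is
# upgraded with StartTLS; tls_reqcert=demand forces certificate verification).
CONSUMER_HARDENED = """\
syncrepl rid=003
        provider=ldap://ldap.mydomain.fr:389/
        type=refreshOnly
        retry="60 10 600 +"
        searchbase="dc=mydomain,dc=fr"
        scope=sub
        bindmethod=simple
        starttls=critical
        tls_cacert=/etc/ssl/certs/ldap-cert-ca.pem
        tls_reqcert=demand
        binddn="cn=syncrepluser,o=others,dc=mydomain,dc=fr"
        credentials=my_password
"""


def logical_lines(text):
    """Join slapd.conf continuation lines (leading whitespace) and drop comments."""
    out = []
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0] in " \t" and out:
            out[-1] += " " + raw.strip()
        else:
            out.append(raw.strip())
    return out


def parse_syncrepl(text):
    """Return one dict of lower-cased parameters per syncrepl directive."""
    directives = []
    for line in logical_lines(text):
        tokens = shlex.split(line)  # honours key="value with spaces"
        if not tokens or tokens[0].lower() != "syncrepl":
            continue
        params = {}
        for tok in tokens[1:]:
            key, _, value = tok.partition("=")  # DNs contain '=' too: split once
            params[key.lower()] = value
        directives.append(params)
    return directives


def audit(params):
    """Return a list of (code, message) findings for one syncrepl directive."""
    findings = []
    uri = params.get("provider", "")
    starttls = params.get("starttls", "").lower()
    ldaps = uri.lower().startswith("ldaps://")

    if starttls == "yes":
        findings.append(("STARTTLS_NOT_CRITICAL",
                         "starttls=yes falls back to plain LDAP if TLS fails; use starttls=critical"))
    if not ldaps and starttls not in ("yes", "critical"):
        findings.append(("NO_TLS",
                         "ldap:// provider without starttls: replication traffic and credentials go in the clear"))
    if ldaps and starttls:
        findings.append(("LDAPS_PLUS_STARTTLS",
                         "ldaps:// is TLS from the first byte; StartTLS upgrades a plain ldap:// session"))
    if "tls_cert" in params and "tls_key" not in params:
        findings.append(("TLS_CERT_WITHOUT_KEY", "tls_cert is useless without tls_key"))
    if "tls_cert" in params and params.get("bindmethod", "").lower() == "simple":
        findings.append(("TLS_CERT_WITH_SIMPLE_BIND",
                         "tls_cert is for certificate authentication, not for a binddn/credentials bind"))
    if (ldaps or starttls) and not ({"tls_cacert", "tls_cacertdir"} & set(params)):
        findings.append(("NO_TLS_CACERT",
                         "no tls_cacert/tls_cacertdir here: verification depends on the global ldap.conf setting"))
    if params.get("tls_reqcert", "").lower() in ("never", "allow"):
        findings.append(("TLS_REQCERT_WEAK",
                         "tls_reqcert=%s does not reject a bad provider certificate" % params["tls_reqcert"]))
    return findings


def audit_config(text):
    """Audit every syncrepl directive in a slapd.conf fragment: {rid: [finding codes]}."""
    return {p.get("rid", "?"): [code for code, _ in audit(p)] for p in parse_syncrepl(text)}


if __name__ == "__main__":
    for name, cfg in (("as posted", CONSUMER_AS_POSTED), ("hardened", CONSUMER_HARDENED)):
        for params in parse_syncrepl(cfg):
            print("rid=%s (%s):" % (params.get("rid"), name))
            for code, msg in audit(params) or [("OK", "no TLS findings")]:
                print("  %-24s %s" % (code, msg))
```

Run it against a real slapd.conf by passing the file contents to audit_config(); the posted config yields four findings, the hardened variant none. The parser only handles the slapd.conf directive form, not cn=config LDIF.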